A Guide to “Affiliated Covered Entities” Under HIPAA for Small Practices (45 CFR § 164.105(b))

Executive Summary

Under HIPAA, healthcare providers can streamline compliance and data sharing by designating themselves as an “Affiliated Covered Entity” (ACE). This structure is especially useful for small practices with shared ownership or operational control but operating under different names or specialties. Section 164.105(b) of the HIPAA Privacy Rule allows legally separate covered entities to designate themselves as a single covered entity for compliance purposes. This guide explains how small practices can form an ACE, the requirements to do so legally, and the operational and compliance benefits it offers.

Introduction

HIPAA’s rules apply to “covered entities,” such as health plans, healthcare clearinghouses, and healthcare providers that conduct standard electronic transactions. In some business models, multiple practices may share ownership or operate under a common corporate umbrella while maintaining separate Tax Identification Numbers (TINs), medical specialties, or even locations.

Rather than managing HIPAA compliance separately for each, § 164.105(b) allows them to become a single “Affiliated Covered Entity.” This status permits shared policies, privacy notices, workforce, and PHI, as long as the entities are under common control or ownership and properly designate their affiliation.

For small practice groups, this designation can reduce administrative burdens and ensure consistency across locations if done correctly.

Understanding Affiliated Covered Entities Under § 164.105(b)

An Affiliated Covered Entity (ACE) is a group of legally separate covered entities, under common ownership or control, that choose to designate themselves as a single covered entity for purposes of HIPAA compliance.

According to § 164.105(b)(1), the requirements are:

  • Each entity must be a covered entity or business associate.
  • The entities must be under common ownership or control.
  • The affiliation must be formally designated in writing.

Once designated, the ACE is treated as one covered entity under the HIPAA Privacy and Security Rules, with a unified Notice of Privacy Practices (NPP), centralized training and policies, and shared responsibilities for breach notification and PHI access.

Common Ownership or Control: What It Means

  • Common ownership generally refers to situations where the same individual(s) or entity owns more than one healthcare organization.
  • Common control means one entity has the authority to direct the policies or procedures of another entity, even without full ownership.

This is not limited to large systems. Small groups of providers, such as a network of pediatricians or a multi-location dental group, may qualify if ownership or control is centralized.

What Can Be Shared Among Affiliates

  • Electronic health records (EHRs) and medical charts
  • HIPAA privacy and security policies
  • Training programs
  • Notices of Privacy Practices
  • Workforce members across entities
  • Risk assessments and incident response plans

However, each entity remains legally responsible for HIPAA compliance within its operational boundaries. A violation by one affiliate may expose the ACE to collective enforcement risk.

A Case Study: Small Clinics, Big Consequences

In 2020, a group of five specialty clinics in Texas covering dermatology, endocrinology, cardiology, pediatrics, and family medicine began operating under a shared management company. Though each retained its own tax ID and branding, the physicians shared EMRs, billing systems, and IT infrastructure.

Initially, the practices treated themselves as an Affiliated Covered Entity without formally documenting the designation. They used one NPP, had a single Privacy Officer, and allowed staff to access patient records across sites.

When one clinic suffered a ransomware attack and failed to notify patients within HIPAA’s 60-day requirement, OCR investigated. It determined that the clinics functioned as an ACE without formal designation, which triggered individual liability for each clinic and penalties totaling over $250,000.

Had the clinics properly documented their ACE status under § 164.105(b), OCR would have treated them as a single entity, reducing complexity and possibly limiting liability to a single breach response plan.

This case highlights the importance of formal documentation and full understanding of the ACE structure, even for small or mid-sized provider networks.

Steps to Designate an Affiliated Covered Entity

Step 1: Determine Eligibility

  • Each participating entity is a HIPAA-covered entity or business associate
  • All participating entities are under common ownership or control

This assessment may require legal input to interpret ownership agreements, management contracts, or board oversight.

Step 2: Create Written Documentation

  • List all covered entities included
  • Describe the basis for common control or ownership
  • Define the scope of shared HIPAA functions (e.g., policies, training, access)
  • Assign a Privacy and Security Officer for the ACE

This document should be maintained with your HIPAA compliance records and updated when ownership or structure changes.

Step 3: Align Compliance Operations

  • One set of HIPAA privacy and security policies
  • Unified breach response protocol
  • Shared risk assessments
  • Combined training and workforce awareness
  • Standardized patient privacy notices

Step 4: Update Notice of Privacy Practices (NPP)

A single NPP should describe the ACE structure, including all included practices. It must clearly explain that PHI may be shared across affiliates for treatment, payment, and operations (TPO).

Step 5: Monitor and Update

Changes to ownership, control, or structure require you to revisit and possibly revise your ACE documentation. Inaccurate or outdated designations can nullify your ACE status and expose you to separate liabilities.

Benefits of an Affiliated Covered Entity for Small Practices

  • Unified Policies – One set of HIPAA policies and procedures for all locations
  • Streamlined Workforce Training – Avoids duplicative efforts for each practice
  • Simplified PHI Access – Employees can access records across affiliates as part of TPO
  • Efficient Breach Response – One reporting process for the group
  • Reduced Administrative Burden – Fewer redundancies in compliance oversight

Common Pitfalls and How to Avoid Them

  • Lack of formal documentation – Simply acting as an ACE without written designation violates HIPAA
  • Inadequate training across affiliates – Shared policies must be enforced uniformly
  • Overly broad access – Employees must have role-based access only to what they need, even in an ACE
  • Failure to update after ownership changes – Changes in control or entity structure must be reflected in ACE documentation

Expert Tips for Small Practice Networks

  • Consult legal counsel when forming an ACE to ensure ownership and control meet the standard.
  • Assign one Privacy and one Security Officer to oversee HIPAA compliance for the full ACE.
  • Use your EMR and practice management systems to restrict access by role, even within the ACE.
  • Schedule regular reviews of the ACE documentation, especially after mergers or restructuring.
  • Keep copies of the ACE designation in your HIPAA audit file; it is your shield in an investigation.

Simplified ACE Designation Checklist

Task | Responsible Party | Timeline | Reference
Assess common ownership or control | Legal or Compliance Officer | Before designation | 45 CFR § 164.105(b)
Draft written ACE designation | Privacy Officer + Legal | Within 30 days of decision | HIPAA Documentation Requirements
Update NPP and post at all affiliate locations | Compliance Lead | Prior to effective date | 45 CFR § 164.520
Align all HIPAA policies and workforce training | Security & Privacy Officers | Ongoing | HIPAA Privacy and Security Rules
Review ACE status annually or upon structural change | Compliance Officer | Annually | Internal SOP

Regulatory References and Official Guidance

Concluding Recommendations and Next Steps

For small practices under common control or ownership, becoming an Affiliated Covered Entity under § 164.105(b) offers a practical and legally sound path to unified HIPAA compliance. However, the benefits only apply when the designation is properly documented and executed.

  • Evaluate whether an ACE designation makes sense
  • Prepare the necessary documentation
  • Update policies, training, and patient communications
  • Monitor and maintain the designation over time

Done right, the ACE structure simplifies compliance, enhances efficiency, and protects your organization from fragmented risk exposure. For small practice owners seeking to scale smartly while staying compliant, § 164.105(b) offers a valuable framework.

Compliance should never get in the way of care.
